M8 (cipher) explained

M8
Designers:Hitachi
Publish Date:1999
Derived From:M6
Block Size:64 bits
Structure:Feistel network
Rounds:Variable

In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.[1]

Like M6, M8 is a Feistel cipher with a block size of 64 bits. The round function can include 32-bit rotations, XORs, and modular addition, making it an early example of an ARX cipher.

The cipher features a variable number of rounds (any positive integer N), each of which has a structure determined by a round-specific "algorithm decision key". Making the rounds key-dependent is intended to make cryptanalysis more difficult (see FROG for a similar design philosophy).

Cipher description

The round count can be set to any positive integer N, but a round count of at least 10 is recommended. The key consists of four components: a 64-bit data key, 256-bit key expansion key, a set of N 24-bit algorithm decision keys, and a set of N 96-bit algorithm expansion keys.

The round function is used for both key expansion and encryption/decryption. The key expansion process transforms the 64-bit data key and 256-bit key expansion key into a 256-bit execution key, consisting of 4 pairs of 32-bit numbers

K
R0

,

K
L0

,...,

K
R3

,

K
L3
.

The cipher has a typical Feistel cipher design. First, the 64-bit input block is split into two 32-bit halves. In each round, the left half undergoes a key-dependent transformation, and is then combined with the right half. Finally, the halves are swapped. In total, the round function consists of a sequence of nine customizable operations and three bitwise rotations:

\begin{align} Ri+1&=Li\\ x&=Li\operatorname{op}1

K
Li\bmod

\\ y&=((x<<<S1)\operatorname{op}2x)\operatorname{op}3\alpha\\ z&=(((y<<<S2)\operatorname{op}4y)\operatorname{op}5\beta)\operatorname{op}6

K
Ri\bmod

\\ Li+1&=(((z<<<S3)\operatorname{op}7z)\operatorname{op}8\gamma)\operatorname{op}9Ri \end{align}

i

denotes the round number, which takes inputs

Li

and

Ri

.

\alpha,\beta,\gamma

are the three 32-bit words of the round's algorithm expansion key.
K
Ri\bmod

,

K
Li\bmod
are words from the execution key.

<<<

denotes a left bitwise rotation.

\operatorname{op}j

and

Sk

are defined by the 24-bit algorithm decision key as follows:
MSB                                      LSB
op1 op2 op3 op4 op5 op6 op7 op8 op9 S1 S2 S3

where op1 to op9 are each one bit (0 = addition mod 232, 1 = XOR) and S1 to S3 are five bits each.

Key expansion consists of eight cipher rounds, using the first eight algorithm decision and expansion keys, the key expansion key as the execution key, and the data key as the input block. The eight intermediate outputs,

L1,L2,...,L7,L8

are used as the eight components of the execution key
K
R0

,

K
L0

,...,

K
R3

,

K
L3
.

Cipher implementation

The following is an implementation of the cipher in Python.

  1. https://en.wikipedia.org/wiki/M8_(cipher)

M = 0xffffffff

def add(x, y): return (x + y) & M

def xor(x, y): return x ^ y

def rol(x, s): return ((x << s) | (x >> (32 - s))) & M

def m8_round(L, R, ri, k, adk, aek): """ One round of the algorithm.

L, R: input ri: round index k: 256-bit execution key adk: 24-bit algorithm decision key aek: 96-bit algorithm expansion key """

op = add, xor[(adk >> (23 - i)) & 1] for i in range(9)] S1 = (adk >> 10) & 0x1f S2 = (adk >> 5) & 0x1f S3 = (adk >> 0) & 0x1f A = (aek >> 64) & M B = (aek >> 32) & M C = (aek >> 0) & M KR = (k >> (32 + 64 * (3 - ri % 4))) & M KL = (k >> (0 + 64 * (3 - ri % 4))) & M

x = op[0](L, KL) y = op[2](op[1](rol(x, S1), x), A) z = op[5](op[4](op[3](rol(y, S2), y), B), KR) return op[8](op[7](op[6](rol(z, S3), z), C), R), L

def m8_keyexpand(dk, kek, adks, aeks): """ Key expansion.

dk: 64-bit data key kek: 256-bit key expansion key adks: algorithm decision keys aeks: algorithm expansion keys """

L = (dk >> 32) & M R = (dk >> 0) & M k = 0 for i in range(8): L, R = m8_round(L, R, i, kek, adks[i], aeks[i]) k |= (L << (32 * (7 - i))) return k

def m8_encrypt(data, N, dk, kek, adks, aeks): """ Encrypt one block with M8.

data: 64-bit input block N: number of rounds (must be >= 8) dk: 64-bit data key kek: 256-bit key expansion key adks: a list of N 24-bit algorithm decision keys aeks: a list of N 96-bit algorithm expansion keys """

ek = m8_keyexpand(dk, kek, adks, aeks) L = (data >> 32) & M R = (data >> 0) & M for i in range(N): L, R = m8_round(L, R, i, ek, adks[i], aeks[i]) return (L << 32) | R

  1. Published test vector from ISO/IEC 9979/0020

result = m8_encrypt(0x0000_0000_0000_0001, 126, 0x0123_4567_89AB_CDEF, 0, [0x848B6D, 0x8489BB, 0x84B762, 0x84EDA2] * 32, [0x0000_0001_0000_0000_0000_0000] * 126,)assert result

Test vectors

The published version of ISO/IEC 9979-0020 includes the following test data:

Cryptanalysis

The key-dependent behaviour of the cipher results in a large class of weak keys which expose the cipher to a range of attacks, including differential cryptanalysis, linear cryptanalysis and mod n cryptanalysis.[2]

Notes and References

  1. Web site: ISO/IEC9979-0020 Register Entry. ISO/IEC 9979 Register of Cryptographic Algorithms. Professor Chris Mitchell, Information Security Group, Royal Holloway, University of London.
  2. Toshio Tokita . Tsutomu Matsumoto . On Applicability of Differential Cryptanalysis, Linear Cryptanalysis and Mod n Cryptanalysis to an Encryption Algorithm M8 (ISO9979-20) . Ipsj Journal . 42 . 8 .